If you are using Symantec DLP, you should be using IT Analytics

Overview of IT Analytics

IT Analytics provides cube-based reporting (pivot tables), additional reports, and Key Performance Indicators (KPIs) for various Symantec products:

  1. Symantec IT Management Suite (Altiris)
  2. Symantec Data Loss Prevention (DLP)
  3. Symantec Critical Systems Protection (CSP)
  4. Symantec Endpoint Protection (SEP)

IT Analytics is developed by Bay Dynamics but is available as part of your Symantec license.  For more information visit: http://baydymanics.com/Products/ITAnalytics/Symantec/

One of the concerns in the past about using IT Analytics has been the requirement for a Symantec Management Platform (SMP, also known as Altiris) to be configured first before you install and manage the cubes.  This is no longer the case, as there is a stand-alone version of IT Analytics available (this will be covered in a separate blog post).  This post will cover why you should be using IT Analytics for your DLP system.

Why IT Analytics for Symantec DLP

Within the Symantec DLP console there are a bunch of ways to slice and dice the data that is generated in the system (Incidents, etc.) either by filtering the data or by creating various summarizations of the data.  IT Analytics adds several items that are not exposed without having to write a SQL query or leverage the API.  IT Analytics allows for someone who does not have access to the DLP console to run reports against the information.  Also IT Analytics can easily create trending reports to demonstrate how risk is being reduced over time.

Whenever people ask me why I should bother with IT Analytics there are two reports that I point to that demonstrate the value of IT Analytics.

User Login Report

User Action Auditing Report

The first screenshot (User Login Report) shows which users have logged into the DLP system and the second report (User Action Auditing Report) shows who has changed what policies in the DLP system.  These two reports are requested over and over by customers.  How can I prove to my auditors or management that no one is changing a DLP policy randomly?  This information is coming out of the Oracle Database but without ITA you would have to write a SQL statement and then clean it up to provide auditors or management.

Incident Trend By Product Area

A third common request is “how can I show trends” in my DLP system and the above screenshot shows this trend.

Finally, IT Analytics provides Key Performance Indicators (either predefined or custom created) that demonstrate how your Symantec DLP system is reducing risk over time and how the system is performing.

Key Performance Indicators

How do I get IT Analytics?

IT Analytics is provided free of charge; however, a license key and the MSI are needed before you can install ITA.  If you have Symantec Endpoint Protection in your environment, the MSI for performing the installation is located on the Tools portion of the media.  However, if you are not a SEP customer, please contact either your Symantec Account Manager or Bay Dynamics.  NOTE:  My company (ITS Partners) can help you obtain the license.

Can I install Symantec DLP on a Red Hat Linux system with a pre-defined user name?

Recently I was doing an install of Symantec DLP on a Red Hat Linux box that was a member of LDAP and had the /home folder automounted and didn’t allow for us to write to that folder.  When a new local user was created via the adduser command it would not work without passing a command line option to change the location of the home directory (adduser -b /opt/users/).

During the install of Symantec DLP, the installer creates a user (protect, protect_update) and would fail because the home directory (/home/protect) could not be created.

So the question was asked… Can we create a user, populate the home directory outside of /home and then perform the install of the system?

Answer:  No… The installer for Symantec DLP needs to create the correct users and must be able to write /home when creating the user.  There is currently an enhancement request within Symantec to allow a pre-created account.
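
A preflight check for the situation described above, as an added example that is not part of the original post or of Symantec's installer: it reports whether /home is an automount point or otherwise not writable before the installer tries to create /home/protect. The function names and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: will creating a home directory under a given base succeed?

# Constructed sample in /proc/mounts format: /home is served by the automounter.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg-root / ext4 rw,relatime 0 0
auto.home /home autofs rw,relatime,fd=6,indirect 0 0
/dev/mapper/vg-opt /opt xfs rw,relatime 0 0
EOF
}

# Print the filesystem type of the deepest mount point containing path $1,
# reading a /proc/mounts-format file given as $2.
fs_type_for() {
    awk -v p="$1" '
        { mp = $2
          if (p == mp || mp == "/" || index(p, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); t = $3 } }
        END { print t }' "$2"
}

# Return 0 if new home directories can be created under base $1, else 1.
# $2 is the mount table to read (defaults to the live /proc/mounts).
check_home_base() {
    base=$1
    mounts=${2:-/proc/mounts}
    fstype=$(fs_type_for "$base" "$mounts")
    # An autofs mount point rejects mkdir even for root, so test it first.
    if [ "$fstype" = "autofs" ]; then
        echo "FAIL: $base is an automount point; /home/protect cannot be created"
        return 1
    fi
    if [ ! -d "$base" ] || [ ! -w "$base" ]; then
        echo "FAIL: $base is missing or not writable by $(id -un)"
        return 1
    fi
    echo "OK: $base ($fstype) accepts new home directories"
    return 0
}

# Run against the live system only when asked: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    check_home_base /home
fi
```
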

4.5 Cool Things about Data Insight 4.5

Symantec Data Insight (DI) can help customers who struggle with identifying data users and owners for their unstructured data.  DI helps a customer answer the following questions:

  1. Who owns the data?
  2. Who is responsible for remediation of that data?
  3. Who has seen the data?
  4. Who has access to the data?
  5. What data is most at risk?

So what’s new in Data Insight 4.5?  Here are 4.5 (get it???) things that I find awesome in this release:

  1. Self service portal to help make remediation easier:  A portal that allows data owners and/or custodians of data to remediate items directly, potentially without the need for IT Security.  Actions can come from either the Data Loss Prevention (Enforce) Console or the Data Insight Management Server depending on the workflow.  A customer can create workflows that are specific to their own environment or use one of the pre-defined workflows such as:
    • Entitlement Review: Review the user permissions on the folders and suggest changes to the permissions
    • DLP Incident Management: Review policy actions and take actions on the files that violate DLP policies without having accounts on the Enforce Console.  Actions are Smart Response Rules that are used to remediate the items that violate a DLP policy.  An example would be triggering a Smart Response rule to encrypt a specific file.
    • Ownership Confirmation: Confirm the ownership of files or folders.  DI will infer the ownership of a file; this lets you confirm the file is actually yours.

     This portal will be installed on a separate server from the Data Insight Management Console, is a separate license and requires DLP 12.5 or higher to be installed.

  2. Additional supported platforms for filers: Data Insight 4.5 now supports the monitoring of NetApp Cluster Mode, EMC Isilon, and Windows Server 2012.  Table 2-4 in the Data Insight Release Notes covers the supported platforms for DI 4.5.
  3. Enhanced Reporting with Data Insight:  There have been improvements and changes to reporting with the addition of some enhanced reports including:
    • Reports based on User Reporting including the ability to track unresolved or migrated SIDs
    • Additional charts and statistics to help understand what is happening on the Data Insight server(s) in your environment
    • A Health Audit report that runs automatically at 5am that helps you and Symantec Support (if needed) understand any issues in the Data Insight environment.
  4. Enhanced data owner computation: Data Insight can calculate the owner of a file and then populate that within the DLP console.  In DI 4.5 we can exclude deleted or disabled users (or their SID) when calculating the actual Data Owner.  However, if you would still like to display this, you can show it on the Inferred Owner report.
  5. Data Insight now provides an API specification for the Data Insight Query Language (DQL): The DQL provides a way to extract and interface with Data Insight data.  This is now available via an API so you can integrate with 3rd party applications.

 

Welcome back Hex!!!

Years ago I posted about missing Hexonyx and how much I missed that mud.  Over the years the post has generated a number of comments and posts.

One of those comments led me to this Facebook group and the best part is the mud is back.  So fire up ZMUD or whatever client you were using so many years ago and join back up.

Bad news is the player file is a bit out of date and you probably don’t have that awesome weapon or awesome piece of quest gear you had last, but come back; the memory is still there and, just like riding a bike, you will quickly be running zones and joining with friends.

Also for a great story of how Hex landed someone a job read here

Configuring User Risk Reporting in Symantec DLP

The User Risk Summary report breaks down incidents based on user and covers email and endpoint incidents.  From the help file: “The user risk summary gives you insight into the behavior of specific individuals in your organization by associating users with email and endpoint incidents. This information helps you focus your data loss prevention efforts on those users posing the highest risk to the security of your data.”

There are 3 steps to take in order for the user risk summary report to be displayed:

  1. Create custom user attributes
  2. Import user data
  3. View the reports

Create Custom User Attributes

One item to keep clear is the attributes defined here are different than the custom attributes populated by Active Directory as a part of an Incident.  These attributes need to be created outside.  This has led to a lot of confusion on my part but needs to be set up.

To set up the custom attributes for User Risk Reporting, navigate to System -> Users -> Attributes.  By default there are no attributes in the system.

To add a new attribute, select “Add” and then type in the Attribute Name (example: First Name or Department).  These attributes will be populated by the data source (either Active Directory or a CSV file).

The screenshot shows the attributes that are populated in my demo system.

Image

Import User Data

Once again, this is different than populating the data for incidents and needs to be configured separately.  We can leverage the existing directory connection that is already being used, or create a new data source.

This is found under System -> Users -> Data Sources.

Selecting Add presents you with this screenshot:

Image

As you can see, I’m using the existing Directory Connection already created, but after I provide a name the data source is ready.

Check the box next to the data source and select “Import” to run the import.  After the import is complete, information will be presented on the User Risk Summary report (if you have incidents).

View the reports

User risk reports will group the Network Incidents and the Endpoint Discover incidents together.  These reports will break the incidents down based on severity.

Image

If the user is selected then it will present further detail about the types of incidents generated.

Image

Symantec Endpoint Encryption is now supported on Ubuntu LTS

Symantec Endpoint Encryption (powered by PGP) has been updated to version 3.3.  For more information check out the release notes found on Symwise: http://www.symantec.com/docs/TECH201458

Several changes have been made in this release including:

  • Support for Windows 8 on both the 32-bit and 64-bit version

  • Support for Outlook 2013 on the client

  • Support for Red Hat Linux and CentOS 6.3 and 6.4 both 64-bit and 32-bit.

  • Support for Ubuntu 12.04 LTS both the 32-bit and 64-bit versions.

This provides one of the missing parts of what I need to be able to run Ubuntu at my enterprise as we have a requirement to have our drives encrypted by the supported encryption product and have our keys managed centrally.

I hope things like this will see Ubuntu grow into the enterprise from a desktop point of view. Now all we need is integration into an endpoint management tool.

RFC: Ubuntu and Symantec IT Management Suite

Do you use Ubuntu?  Do you use Symantec IT Management Suite?  A recent post on Symantec Connect asked for people who are running Ubuntu to post comments to see if there is interest in adding support for Ubuntu to the product.

For those that do not understand what Symantec IT Management Suite is, I will provide a quick overview and then end with a couple of reasons as to why I believe this will be a great fit for Ubuntu.

Symantec IT Management Suite (or the product formerly known as Altiris) helps with complete management of the endpoints (laptops, desktops and servers) from deployment of the endpoint (imaging), deployment of software and patches, and also tracking the device from an Asset Management point of view.  Some basic portions of IT Management Suite include:

  • Bare metal deployment of servers

  • Image deployment of desktops, laptops and servers

  • Software delivery in an unattended way

  • Patch Management (including on the Windows side several 3rd party (non-Microsoft) patches)

  • Full inventory of the device (both hardware and software)

  • Comprehensive reporting on the status of the device

  • And many other things

My company has been working with Symantec IT Management Suite for almost 10 years and has done a bunch of videos explaining and showing how this product works.

I’ve also written several blog posts about why I believe Ubuntu needs to have more of a focus around the Enterprise and Enterprise tools.  Canonical has developed Landscape, their own product to help with the management of Ubuntu but it is time to leverage an existing management tool to help move further into the enterprise as well.

Here is how ITMS and Ubuntu could work together (in my view)

  • Imaging and deployment of Ubuntu machines across the environment in a standard format

  • Full software and hardware inventory of the device across the entire enterprise

  • Structured deployment of patches across the entire enterprise including reporting on the status of those patches

This would allow for deployment and management across the board in an enterprise and could help